WORM_SAROS.A is a non-destructive worm that propagates via email and IRC. When the infected computer system’s date is the 11th or 23rd of any month, the worm displays a message box and modifies the default Internet Explorer home page to www.gedzac.tk.

This worm is currently spreading in the wild, and it infects systems running Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this worm displays two message boxes, purporting to be Microsoft Windows Update messages. It then drops copies of itself in the Windows system folder using the following file names:

    Love-ScreenSaver.scr
    MSOutlookInternetUpdate.exe
    NonYou.exe
    ABOUT.HTA
    NSTDNRDLL32.VBS

The file ABOUT.HTA is a non-malicious HTML file that displays the following:

    GEDZAC Labs 2004 Have a nice Program for You NonYou Coded by Sarosoft Dedicated to my Love Rosy

The file NSTDNRDLL32.VBS is a malicious VBScript component of this worm that handles its propagation routine and also contains code that adds autostart registry entries.

This worm also drops a copy of itself as the following file:

    %Program%\Mirc\tdll32.dll

(%Program% refers to the Windows program files folder.)

This file is an IRC (Internet Relay Chat) script that sends a copy of the worm to all users who are in the same channel as the user.

It also drops a copy of itself in the network shares of many popular peer-to-peer file-sharing applications, using any of several file names.

To propagate via email, this worm’s VBScript component creates an email and sends it to all addresses listed in the infected user’s Windows address book.
The details of the email are as follows:

    Subject: Microsoft Outlook News
    Message Body: Microsoft Outlook Update / Bug Fixed - Contact: firstname.lastname@example.org
    Attachment: MSOutlookInternetUpdate.exe

This worm sets Microsoft Outlook to delete the mail after sending.

When the infected system’s date is the 11th or 23rd of any month, the worm displays the following message box:

    NonYou Rosy Ti Amo - Saro & Rosy Forever Gedzac Group 2004 NonYou.a Gedzac Labs Productions Coded by Sarosoft - Dedicated to my Love Rosy Gedzac Group 2004 - http://www.gedzac.tk Gedzac The Virus Crew

On the above-mentioned dates, it also modifies the default Internet Explorer home page to www.gedzac.tk. It then executes the file ABOUT.HTA.

This worm also lowers the security setting of Microsoft Outlook and removes the .EXE file attachment blocking by adding registry entries. It also connects to http://windowsupdate.com.

If you would like to scan your computer for WORM_SAROS.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_SAROS.A is detected and cleaned by Trend Micro pattern file 1.952.07 and above.
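
The file names and email details listed above can be turned into a simple triage check for a file listing and a mail spool. The following is an added example, not Trend Micro's detection logic; the function names, the system_dir parameter and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Indicators copied from the advisory text; matching is case-insensitive.
DROPPED_NAMES = {"love-screensaver.scr", "msoutlookinternetupdate.exe",
                 "nonyou.exe", "about.hta", "nstdnrdll32.vbs"}
MAIL_SUBJECT = "microsoft outlook news"
MAIL_ATTACHMENT = "msoutlookinternetupdate.exe"

def match_dropped_files(paths, system_dir):
    """Return paths that match a dropped copy in system_dir or the mIRC script."""
    sysdir = PureWindowsPath(system_dir)  # assumption: caller supplies the system folder
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        # Names such as ABOUT.HTA are common, so only flag them in the system folder.
        in_sysdir = wp.parent == sysdir and wp.name.lower() in DROPPED_NAMES
        mirc = [s.lower() for s in wp.parts[-2:]] == ["mirc", "tdll32.dll"]
        if in_sysdir or mirc:
            hits.append(p)
    return hits

def score_message(raw):
    """Return the advisory indicators ('subject', 'attachment') found in raw mail."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    if str(msg["Subject"] or "").strip().lower() == MAIL_SUBJECT:
        found.append("subject")
    names = [(a.get_filename() or "").lower() for a in msg.iter_attachments()]
    if MAIL_ATTACHMENT in names:
        found.append("attachment")
    return found

def constructed_sample():
    """Build a constructed test message; the attachment is placeholder bytes."""
    m = EmailMessage()
    m["Subject"] = "Microsoft Outlook News"
    m["From"] = "sender@example.org"
    m["To"] = "user@example.org"
    m.set_content("Microsoft Outlook Update / Bug Fixed")
    m.add_attachment(b"placeholder, not malware", maintype="application",
                     subtype="octet-stream", filename="MSOutlookInternetUpdate.exe")
    return m.as_bytes()

if __name__ == "__main__":
    print(score_message(constructed_sample()))
```

A subject match alone is weak evidence; the subject together with the attachment name, or a dropped file name inside the system folder, is the stronger signal.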